Description: https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-nnp.pdf

With VoIP devices finding their way into the majority of major enterprises and a significant number of residential installations, the possible consequences of a security vulnerability that can be leveraged by malicious hackers are ever increasing. While the security of data and voice traffic has been extensively promoted and tested, the security of the devices themselves has been poorly tested at best. A remote vulnerability in a VoIP device could subvert all other VoIP security, and as a result extensive testing of both VoIP device software and hardware is needed if we are to prevent future intrusions.

During this talk I will outline why the security of the software powering VoIP networks is of critical importance and why businesses, developers and security auditors need to pay more attention to the software they are deploying, developing and testing in real world installations. I will show the need for an automated, black box, protocol compliant and open source testing suite. I will then present VoIPER, a cross platform, easy to use toolkit that can automatically and extensively test VoIP devices as well as providing extensive target management, logging and crash detection critical to modern security testing. VoIPER includes a fuzzing suite which is fully protocol aware and can generate hundreds of thousands of tests for the major VoIP protocols. Unlike many attempts at fuzzing VoIP, VoIPER can interact with the devices under test in a fully protocol compliant fashion and potentially test their entire state spaces. Its classes are easy to use and extendable to allow users to piece together protocol compliant tests and integrate them with the main test suite.

VoIPER has been used to discover security vulnerabilities in every device tested during its initial testing phase including soft-phones, hard-phones, gateways and servers.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.